Scenario: Setting up cross-realm trust
Here are the prerequisites and objectives for setting up cross-realm trust on your network.
Situation
You are a security administrator for a large wholesale company. Currently you manage security for systems used by employees of the Order Receiving Department and the Shipping Department.
You have configured a Kerberos server for the Order Receiving Department.
You have configured network authentication service in the System i™ environment in that department to point to that Kerberos server. The Shipping Department consists of a System i product that has a Kerberos server configured in i5/OS® PASE.
You have also configured network authentication service on this System i product to point to the Kerberos server in i5/OS PASE.
Because users in both realms need to use services hosted on systems in each department, you want each Kerberos server to trust the other, so that a user who authenticates in one realm can obtain tickets for services in the other realm without a second account or password.
Objectives
In this scenario, MyCo, Inc. wants to establish a trust relationship between two existing Kerberos realms. One realm consists of a Windows® 2000 server acting as the Kerberos server for the Order Receiving Department. This server authenticates users within that department to services located on a System i platform. The other realm consists of a Kerberos server configured in i5/OS PASE on one System i platform, which provides services for the users within the Shipping Department. Your users need to be authenticated to services in both departments.
The objectives of this scenario are as follows:
- To give clients and hosts on each network access to the other's network
- To simplify authentication across networks
- To allow ticket delegation for users and services in both networks
Details
Here is a detailed description of the environment that this scenario describes, including a figure that shows the topology and all major elements of that environment and how they relate to each other.
Order Receiving Department
System A
- Runs i5/OS V5R3, or later, with the following options and licensed programs installed:
- i5/OS Host Servers (5722-SS1 Option 12)
- iSeries™ Access for Windows (5722-XE1)
- Network Authentication Enablement (5722-NAE) if you are using i5/OS V5R4, or later
- Cryptographic Access Provider (5722-AC3) if you are running i5/OS V5R3
- Has network authentication service configured to participate in the realm ORDEPT.MYCO.COM. The i5/OS principal, krbsrv400/systema.ordept.myco.com@ORDEPT.MYCO.COM, has been added to the Windows 2000 domain.
- System A has the fully qualified host name of systema.ordept.myco.com.
Windows 2000 server
- Acts as the Kerberos server for the realm, ORDEPT.MYCO.COM.
- Has the DNS host name of kdc1.ordept.myco.com.
- Each user within the Order Department has been defined in Microsoft® Active Directory on the Windows 2000 server with a principal name and password.
Client PCs
- Run Windows 2000 operating system.
- PC used to administer network authentication service has the following products installed:
Shipping Department
System B
- Runs i5/OS V5R3 with the following options and licensed programs installed:
- Has a Kerberos server configured in i5/OS PASE with the realm of SHIPDEPT.MYCO.COM.
- Has network authentication service configured to participate in the realm SHIPDEPT.MYCO.COM. The i5/OS principal, krbsrv400/systemb.shipdept.myco.com@SHIPDEPT.MYCO.COM, has been added to the i5/OS PASE Kerberos server.
- Both System B and the i5/OS PASE Kerberos server share the fully qualified host name systemb.shipdept.myco.com.
- Each user within the Shipping Department has been defined in the i5/OS PASE Kerberos server with a principal name and password.
Client PCs
- Run Windows 2000 operating system.
- PC used to administer network authentication service has the following products installed:
Prerequisites and assumptions
In this scenario, the following assumptions have been made to focus on the tasks that involve establishing a trust relationship between two pre-existing Kerberos realms.
System A prerequisites
- All system requirements, including software and operating system installation, have been verified.
To verify that the required licensed programs have been installed, follow these steps:
- In iSeries Navigator, expand your system > Configuration and Service > Software > Installed Products.
- Ensure that all the necessary licensed programs are installed.
- All necessary hardware planning and setup have been completed.
- TCP/IP and basic system security have been configured and tested on System A.
- Network authentication service has been configured and tested.
- A single DNS server is used for host name resolution for the network. Host tables are not used for host name resolution.
The use of host tables with Kerberos authentication might result in name resolution errors or other problems. For more detailed information about how host name resolution works with Kerberos authentication, see Host name resolution considerations.
System B prerequisites
- All system requirements, including software and operating system installation, have been verified.
To verify that the required licensed programs have been installed, follow these steps:
- In iSeries Navigator, expand your system > Configuration and Service > Software > Installed Products.
- Ensure that all the necessary licensed programs are installed.
- All necessary hardware planning and setup have been completed.
- TCP/IP and basic system security have been configured and tested on your system.
- Network authentication service has been configured and tested.
Windows 2000 server prerequisites
- All necessary hardware planning and setup have been completed.
- TCP/IP has been configured and tested on your server.
- Microsoft Active Directory has been configured and tested.
- Each user within the Order Department has been defined in Microsoft Active Directory with a principal name and password.
Configuration steps
To set up a trust relationship between two realms, complete these steps.
- Completing the planning work sheets
Before setting up cross-realm trust, complete these planning work sheets. - Ensuring that the Kerberos server in i5/OS PASE on System B has started
Before you configure cross-realm trust, you need to ensure that the i5/OS PASE Kerberos server has started. - Creating a cross-realm trust principal on the i5/OS PASE Kerberos server
To create a cross-realm trust principal on the i5/OS PASE Kerberos server, follow these steps. - Changing encryption values on i5/OS PASE Kerberos server
To operate with Windows workstations, you need to change the Kerberos server default encryption settings so that clients can be authenticated to the i5/OS PASE Kerberos server. - Configuring the Windows 2000 server to trust SHIPDEPT.MYCO.COM
Now that you have configured System B to trust the ORDEPT.MYCO.COM realm, you need to configure the Windows 2000 server to trust the SHIPDEPT.MYCO.COM realm. - Adding the SHIPDEPT.MYCO.COM realm to System A
You must define the SHIPDEPT.MYCO.COM realm on System A so System A can determine where to find the i5/OS PASE Kerberos server within the SHIPDEPT.MYCO.COM realm.
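The following Python script is an added example; it is not part of the IBM scenario or of the linked procedures. It models the two pieces of state the configuration steps above depend on: the pair of cross-realm krbtgt principals that both Kerberos servers must hold with the same password (the trust principal created on the i5/OS PASE server and the trust added on the Windows 2000 server), and the realm definition plus host-name-to-realm mapping that System A needs once SHIPDEPT.MYCO.COM is added. The realm names and host names are the scenario's; the function names, the rendered krb5.conf layout and the unmapped sample host are assumptions made for illustration. The realm lookup follows the MIT Kerberos domain_realm rule (exact host first, then successively shorter parent domains), which is why the prerequisites insist on consistent DNS rather than host tables.

```python
"""Cross-realm trust helper for the ORDEPT.MYCO.COM / SHIPDEPT.MYCO.COM scenario.

Added example, not IBM's code. Realm and KDC host names come from the scenario;
function names and the krb5.conf layout are illustrative assumptions.
"""

# Realms and the host that runs each realm's Kerberos server (from the scenario).
REALMS = {
    "ORDEPT.MYCO.COM": "kdc1.ordept.myco.com",         # Windows 2000 server
    "SHIPDEPT.MYCO.COM": "systemb.shipdept.myco.com",  # Kerberos server in i5/OS PASE
}


def domain_realm_map(realms):
    """Build [domain_realm] entries: each realm's DNS domain (with a leading dot,
    meaning 'any host under it') and the bare domain name map to that realm.
    Realm names are case-sensitive and upper-case by convention; DNS names are not."""
    mapping = {}
    for realm in realms:
        domain = realm.lower()
        mapping["." + domain] = realm
        mapping[domain] = realm
    return mapping


def realm_for_host(hostname, mapping):
    """Resolve a fully qualified host name to a realm the way a krb5 client does:
    exact host name first, then each shorter parent domain with a leading dot.
    Returns None when nothing matches, which with DNS-only resolution signals a
    configuration gap rather than something to guess around."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None


def cross_realm_principals(realm_a, realm_b):
    """The two krbtgt entries a bidirectional trust needs. krbtgt/B@A lets a user
    of A obtain tickets in B; krbtgt/A@B the reverse. Both KDCs must hold both
    entries with identical passwords; a one-way trust would define only one."""
    return (f"krbtgt/{realm_b}@{realm_a}", f"krbtgt/{realm_a}@{realm_b}")


def krbtgt_for(client_realm, service_principal):
    """Which cross-realm TGT the client's own KDC must issue before the client can
    ask the service's KDC for a ticket to service_principal. None if same realm."""
    service_realm = service_principal.rsplit("@", 1)[1]
    if service_realm == client_realm:
        return None
    return f"krbtgt/{service_realm}@{client_realm}"


def krb5_conf_stanzas(realms, default_realm):
    """Render [libdefaults], [realms] and [domain_realm] for a client such as
    System A that must locate the KDC of every realm it trusts (KDC port 88)."""
    mapping = domain_realm_map(realms)
    lines = ["[libdefaults]", f"  default_realm = {default_realm}", "", "[realms]"]
    for realm, kdc in realms.items():
        lines += [f"  {realm} = {{", f"    kdc = {kdc}:88", "  }"]
    lines += ["", "[domain_realm]"]
    lines += [f"  {dom} = {realm}" for dom, realm in sorted(mapping.items())]
    return "\n".join(lines) + "\n"


def check_config(realms):
    """Pre-flight checks: realm names upper-case, and every KDC host maps back to
    its own realm through [domain_realm] (catches a typo that would send a
    cross-realm request to the wrong KDC)."""
    problems = []
    mapping = domain_realm_map(realms)
    for realm, kdc in realms.items():
        if realm != realm.upper():
            problems.append(f"realm {realm} is not upper-case")
        if realm_for_host(kdc, mapping) != realm:
            problems.append(f"KDC host {kdc} does not map to {realm}")
    return problems


if __name__ == "__main__":
    print(krb5_conf_stanzas(REALMS, "ORDEPT.MYCO.COM"))
    for p in cross_realm_principals("ORDEPT.MYCO.COM", "SHIPDEPT.MYCO.COM"):
        print("trust principal needed on both KDCs:", p)
    # An Order Receiving user reaching the i5/OS service on System B:
    svc = "krbsrv400/systemb.shipdept.myco.com@SHIPDEPT.MYCO.COM"
    print("cross-realm TGT for", svc, "->", krbtgt_for("ORDEPT.MYCO.COM", svc))
    print("problems:", check_config(REALMS) or "none")
```

Running the script prints the stanzas System A needs, the two trust principals, and the cross-realm TGT (krbtgt/SHIPDEPT.MYCO.COM@ORDEPT.MYCO.COM) that the Windows 2000 KDC must be able to issue before an Order Receiving user can reach krbsrv400 on System B. The actual kadmin and Windows commands belong to the linked procedures; this block only makes the naming and the mapping explicit so they can be checked before trust is enabled.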